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Digital Advertising Checklist 


/ 1 Education and understanding 


Educating consumers 
— No one really understands what's going on and what's at stake 


(Harris Poll ICO/Ofcom) GDPR for marketers: 


Consent and 
Legitimate Interests 


Educating marketers 
— Black box solutions, defer to agency 


— Codes of conduct 
— Trade bodies 
Enforcement action 
Transparency 
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/ 2 Understand your data journey 


Companies are accountable for the personal data they process 


Define use cases for the collection and transfer or personal data 


Contracts are not sufficient, auditing is required. 


How DSPs, SSPs, and Ad Exchanges Work 


12 * 


==> 
EA —— 
> * > 
10 — 8e / Exchange 
f \ 
/ \ 


xchange RTB 
Key Auction 
Standard Ad Calls / Redirects 
— rin st 


Cookie ID Passed 


Cookie Stamps / Requests 
* 


Winning Bid / Redirect 
— UI re 


Final Ad Creative 
— 


/ 3 Conduct a Data Protection Impact 
Assessment (DPIA) 


e ADPIA will help assess whether the impact of processing is proportionate. 
— Data minimisation 


® 
— Privacy by design 1CO. 
— Identifies risk Sample DPIA template Information Commissioner's Office 


This template is an example of how you can record your DPIA process and 
outcome. It follows the process set out in our DPIA guidance, and you should read 
it alongside that guidance and the Criteria for an acceptable DPIA set out in 
European guidelines on DPIAs. 


Start to fill out the template at the beginning of any major project involving the use 
of personal data, or if you are making a significant change to an existing process. 
Integrate the final outcomes back into your project plan. 


Step 1: Identify the need for a DPIA 


Explain broadly what the project aims to achieve and what type of processing it 
involves. You may find it helpful to refer or link to other documents, such as a 
project proposal. Summarise why you identified the need for a DPIA. 


/ 4 Audit your data privacy managenient 


and supply chain 


Scrutinise suppliers 
— Due diligence 

— Insist on evidence 
— Contract 


ISO 27001 Information Security Management 
ISO 27701 Privacy Information Management 


GDPR Recital 81: 
“when entrusting a processor with processing activities, the 
controller should use only processors providing sufficient 


guarantees, in particular in terms of expert knowledge, 
reliability and resources, to implement technical and 
organisational measures which will meet the requirements of 
this Regulation” 


/ 5 Ensure special category data has’ 
explicit consent 


e Special category data requires explicit consent 


ft can be collected unintentionally from behaviours, combining data and 
also context 


e Understand what data you are processing, the risk and how you 
demonstrate consent 
Art.9 GDPR 


* Avoid processing in possible Processing of special categories of 
personal data 


1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or 
philosophical beliefs, or trade union membership, and the processing of genetic data, 
biometric data for the purpose of uniquely identifying a natural person, data concerning 
health or data concerning a natural person’s sex life or sexual orientation shall be 
prohibited. 


/ 6 Ensure that commercial benefits are 
assessed in context of risk 


Is the risk worth the return? 


What is Marketing Attribution? 

The Short Definition: Put simply, marketing attribution is 
the analytical science of determining which marketing 
tactics are contributing to sales or conversions. 
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